[joxeankoret_at_yahoo_dot_es: Bug#330894: inkscape: Arbitrary code execution when opening a malicious file]
Hi all together,
I just received a message at debian's BTS [1] which reports a possible security flaw in inkscape. It is surely a DOS since here on my PowerBook inkscape simply crashes saying
wolfi@...453...:/tmp $ inkscape poc.svg
Emergency save activated!
Segmentation fault (core dumped)
I attach the backtrace, which shows that inkscape is rather irritated:
Core was generated by `aaaaaaaaaaaaaaaaa'.
BTW, vim's syntax highlighter has certain troubles when editing this file, too.
Thanks,
Wolfi
[1] http://bugs.debian.org/330894
----- Forwarded message from Joxean Koret <joxeankoret_at_yahoo_dot_es> -----
Subject: Bug#330894: inkscape: Arbitrary code execution when opening a malicious file
Reply-To: Joxean Koret <joxeankoret_at_yahoo_dot_es>, 330894@...499...
Resent-From: Joxean Koret <joxeankoret_at_yahoo_dot_es>
Resent-To: debian-bugs-dist@...501...
Resent-Cc: Wolfram Quester <wolfi@...111...>
Resent-Date: Fri, 30 Sep 2005 10:48:06 UTC
Resent-Message-ID: <handler.330894.B.11280765119494@...499...>
X-Debian-PR-Message: report 330894
X-Debian-PR-Package: inkscape
X-Debian-PR-Keywords:
From: Joxean Koret <joxeankoret_at_yahoo_dot_es>
To: submit@...499...
Date: Fri, 30 Sep 2005 12:51:04 +0200
Resent-Sender: Debian BTS <debbugs@...499...>
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at honk.physik.uni-konstanz.de

Subject: inkscape: Arbitrary code execution opening a file
Package: inkscape
Version: 0.41-4.99.sarge0
Severity: grave
Justification: user security hole
Inkscape is vulnerable to, almost, one buffer overflow that may allow arbitrary code execution. I contacted the Inkscape team but, at the moment, there is no patch for the issue.
Attached goes a Proof Of Concept.
NOTE: I think the problem may not be exploitable because you need to write a shellcode using only valid XML characters.
Regards, Joxean Koret
-- System Information: [...snip...]
----- End forwarded message -----
Versions of inkscape before 2005-07-27 (apparently including 0.41) include this code in style.cpp:
sp_style_merge_from_style_string (SPStyle *style, const gchar *p)
{
    gchar property [BMAX];
    gchar value [BMAX];
and subsequently do an unchecked memcpy into one or other of them.
If we want to prepare a minimal fix for 0.41 rather than urging upgrading to 0.42, then we shouldn't just use the 2005-07-27 change (viz. using libcroco), but, say, strdup or realloc.
Is it indeed desired to make a backport?
pjrm.
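The pattern Peter describes above (two fixed-size stack buffers filled by an unchecked memcpy while splitting a style string into property and value), shown as an added example with the minimal length check that turns an over-long token into a parse error. This is illustrative code written for this thread, not Inkscape's style.cpp; BMAX, parse_style and struct decl are assumed names, and BMAX is deliberately small here so the rejection path is easy to exercise.

```c
#include <stddef.h>
#include <string.h>

#define BMAX 16   /* assumed value for this example; style.cpp's real BMAX is not quoted in the thread */

/* One parsed "property:value" declaration, kept in the same fixed-size buffers style.cpp used. */
struct decl { char property[BMAX]; char value[BMAX]; };

/* Copy the token [start, end) into dst, which has BMAX bytes.
 * Returns 0 on success, -1 if the token does not fit.
 * The vulnerable versions did this memcpy without the length check,
 * so a token longer than BMAX wrote past the end of the stack buffer. */
static int copy_token(char *dst, const char *start, const char *end) {
    size_t len = (size_t)(end - start);
    if (len >= BMAX) return -1;          /* the missing bounds check */
    memcpy(dst, start, len);
    dst[len] = '\0';
    return 0;
}

/* Parse a CSS-like style string such as "fill:red;stroke:none" into out[],
 * storing at most max_decls entries. Returns the number of declarations
 * stored, or -1 if the input is malformed, too many declarations appear,
 * or any property/value exceeds the fixed buffer (instead of overflowing it). */
int parse_style(const char *p, struct decl *out, int max_decls) {
    int n = 0;
    while (*p) {
        const char *colon = strchr(p, ':');
        if (!colon) return -1;            /* declaration without a ':' */
        const char *semi = strchr(colon, ';');
        const char *end = semi ? semi : colon + strlen(colon);
        if (n == max_decls) return -1;
        if (copy_token(out[n].property, p, colon) < 0) return -1;
        if (copy_token(out[n].value, colon + 1, end) < 0) return -1;
        n++;
        p = semi ? semi + 1 : end;        /* skip the ';' or stop at end of string */
    }
    return n;
}
```

The strdup/realloc route Peter mentions removes the fixed buffers altogether; this variant keeps them and only adds the check, which is the smallest change that stops the crash.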
On Mon, 2005-10-03 at 13:58 +1000, Peter Moulder wrote:
If we want to prepare a minimal fix for 0.41 rather than urging upgrading to 0.42, then we shouldn't just use the 2005-07-27 change (viz. using libcroco), but, say, strdup or realloc.
Is it indeed desired to make a backport?
If a lot of stable versions of distros shipped 0.41, the distro people might value it. But it would be good to notify them, and maybe issue some sort of security advisory or something.
-mental
On Mon, Oct 03, 2005 at 12:48:49AM -0400, MenTaLguY wrote:
On Mon, 2005-10-03 at 13:58 +1000, Peter Moulder wrote:
Is it indeed desired to make a backport?
If a lot of stable versions of distros shipped 0.41, the distro people might value it. But it would be good to notify them, and maybe issue some sort of security advisory or something.
This bug affects 0.41 and 0.42.x, but not 0.40 or current CVS.
I've made a patch and have applied it to RELEASE_0_41_BRANCH and RELEASE_0_42_BRANCH, but haven't tested it (due to lack of hard disk space... must get a new hard drive some day). Can someone else test?
What distributions have shipped inkscape 0.41 or 0.42.x? Debian, gentoo, winlibre, SuSE/Novell (?); any others?
What's the right procedure for organizing a coordinated release of the fix?
pjrm.
Quoting Peter Moulder <Peter.Moulder@...38...>:
This bug affects 0.41 and 0.42.x, but not 0.40 or current CVS.
I've made a patch and have applied it to RELEASE_0_41_BRANCH and RELEASE_0_42_BRANCH, but haven't tested it (due to lack of hard disk space... must get a new hard drive some day). Can someone else test?
What distributions have shipped inkscape 0.41 or 0.42.x? Debian, gentoo, winlibre, SuSE/Novell (?); any others?
What's the right procedure for organizing a coordinated release of the fix?
Well, since 0.42 is affected, we'd better go ahead and do a proper 0.42.3 release. I guess 0.41.1 wouldn't hurt either, for the distros.
In this case we mostly just need to roll the version number in the relevant files (as described in CreatingDists), and tag the new release. Then we kick the normal packaging machinery into gear.
I'll take responsibility for preparing and tagging 0.42.3 and 0.41.1 if you like, since I've been doing that kind of thing recently anyway.
-mental
On Mon, Oct 03, 2005 at 03:40:16PM +1000, Peter Moulder wrote:
On Mon, Oct 03, 2005 at 12:48:49AM -0400, MenTaLguY wrote:
On Mon, 2005-10-03 at 13:58 +1000, Peter Moulder wrote:
Is it indeed desired to make a backport?
If a lot of stable versions of distros shipped 0.41, the distro people might value it. But it would be good to notify them, and maybe issue some sort of security advisory or something.
This bug affects 0.41 and 0.42.x, but not 0.40 or current CVS.
I've made a patch and have applied it to RELEASE_0_41_BRANCH and RELEASE_0_42_BRANCH, but haven't tested it (due to lack of hard disk space... must get a new hard drive some day). Can someone else test?
What distributions have shipped inkscape 0.41 or 0.42.x? Debian, gentoo, winlibre, SuSE/Novell (?); any others?
What's the right procedure for organizing a coordinated release of the fix?
Has there been further work on this? I'm adding mention of it to the homepage; it would be good to create and upload packages to the download page and so forth.
Bryce
Quoting Bryce Harrington <bryce@...961...>:
Has there been further work on this? I'm adding mention of it to the homepage; it would be good to create and upload packages to the download page and so forth.
Peter merged the fix and I tagged 0.41.1 and 0.42.3 some time back -- as far as I know nobody's built any packages though.
-mental
mental@...3... wrote:
Quoting Bryce Harrington <bryce@...961...>:
Has there been further work on this? I'm adding mention of it to the homepage; it would be good to create and upload packages to the download page and so forth.
Peter merged the fix and I tagged 0.41.1 and 0.42.3 some time back -- as far as I know nobody's built any packages though.
Do we want autopackages?
Aaron Spike